Public Key Cryptography
David Brumley, Carnegie Mellon University
Credits: Many slides from Dan Boneh's June 2012 Coursera crypto class, which is awesome!

Key management
Problem: communicating among n users with symmetric keys. Every pair of users U_i, U_j needs its own key k_{i,j}: U1 holds k_{1,2}, k_{1,3}, k_{1,4}; U4 holds k_{1,4}, k_{4,2}, k_{4,3}; and so on.
Total: O(n) keys per user, O(n^2) keys overall.

One solution: Trusted Third Party (TTP)
Everyone needs only one key, shared with the TTP: U1 holds k_{1,TTP}, U2 holds k_{2,TTP}, U3 holds k_{3,TTP}, U4 holds k_{4,TTP}.
Can we remove the TTP as a communication and privacy bottleneck?

Session keys and removing TTP privacy concerns
Alice holds ka, Bob holds kb, the TTP holds kt; (E, D) is a symmetric cipher.
1. Alice -> TTP: E(ka, "talk to Bob"), a request under the key Alice shares with the TTP.
2. TTP chooses a random session key K_AB.
3. TTP -> Alice: E(ka, "A,B" || K_AB) and a ticket = E(kb, "A,B" || K_AB).
4. Alice -> Bob: ticket = E(kb, "A,B" || K_AB) and E(K_AB, "Hi.").
5. Bob computes D(kb, ticket) = "A,B" || K_AB, then D(K_AB, "Hi.").
This is the basis for Kerberos.

Security analysis
Suppose (E, D) is secure (i.e., semantically secure), and Eve sees all traffic between Alice, Bob and the TTP.
✓ Eve sees the messages but learns nothing about K_AB.
✗ The TTP is needed online to set up every session.
✗ The TTP can decrypt everything.

Key question
Can we generate shared keys without an online trusted third party?
Answer: yes! This is the starting point of public-key cryptography:
• Merkle (1974), Diffie-Hellman (1976), RSA (1977)
• More recently: identity-based encryption (BF 2001), functional encryption (BSW 2011)

The Diffie-Hellman Protocol
Whitfield Diffie and Martin Hellman.
Goal: Alice and Bob establish a shared key that is secure against an eavesdropper Eve, without a TTP.

Discrete Log: A Review
Recall: logarithms are the inverse of exponentiation. b^y = x is equivalent to log_b(x) = y.
Consider arithmetic mod p, where p is a prime. The discrete log to the base b of x is an integer y such that b^y mod p = x.
Example. Let p = 17. Then 3^4 mod 17 = 81 mod 17 = 13, so 3^4 = 13 (mod p), and the discrete log is log_3(13) = 4.

Discrete Log Example
Fix a prime p > 2 and g in (Z_p)^* of order q. Consider the function f(x) = g^x in Z_p.
Now consider the inverse function: Dlog_g(g^x) = x, where x in {0, ..., q-1}.
Example: let g = 2 in Z_11 (so q = 10). The two tables below are inverses of each other:

  x           :  0  1  2  3  4  5  6  7  8  9
  2^x mod 11  :  1  2  4  8  5 10  9  7  3  6

  g^x         :  1  2  3  4  5  6  7  8  9 10
  Dlog_2(g^x) :  0  1  8  2  4  9  7  3  6  5

Easy: given b, y and p, compute b^y mod p (see the "Handbook of Applied Cryptography", available free online).
Believed hard: given b, p and x, compute y such that b^y mod p = x. This is the "Discrete Log" problem, a candidate one-way function.

Key Exchange with Discrete Log
Setup: fix a public large prime p (~600 digits, about 2048 bits) and a public base g in (Z_p)^* (a generator, or an element of large prime order).
1. Alice picks a random a in [1, p-2].
2. Bob picks a random b in [1, p-2].
3. Alice -> Bob: g^a mod p.
4. Bob -> Alice: g^b mod p.
5. Alice computes k = (g^b)^a mod p; Bob computes k = (g^a)^b mod p. Both equal g^(ab) mod p.
6. Use k for symmetric (authenticated) encryption.

Eve's view: Eve observes p, g, g^a mod p and g^b mod p. Her goal is to compute a (or b), i.e. a discrete log, or to compute g^(ab) mod p directly.

How hard is the DH function mod p?
Suppose the prime p is n bits long. The best known algorithm, the general number field sieve (GNFS), runs in time exp(Õ(n^(1/3))), where Õ means that lots of lower-order terms are left off. Comparable security levels:

  Symmetric key    | DH modulus p   | Elliptic curve
  80 bits          | 1024 bits      | 160 bits
  128 bits         | 3072 bits      | 256 bits
  256 bits (AES)   | 15360 bits     | 512 bits

Can we do DH another way that is faster? Yes: elliptic curve Diffie-Hellman, to which practice is slowly transitioning.

MITM Adversary
As described, Diffie-Hellman is insecure against an active man-in-the-middle (MITM):
  Alice -> MITM: g^a mod p      MITM -> Bob:   g^m mod p
  Bob   -> MITM: g^b mod p      MITM -> Alice: g^m mod p
Alice computes g^(ma) mod p and Bob computes g^(mb) mod p. The MITM knows m, so it knows both keys.

Public Key Encryption
The last few slides established a shared key (only) without a TTP. What about actual encryption?
Alice runs E with Bob's public key to produce a ciphertext c, sends c over the public channel (where Eve sees it), and Bob runs D with his private key to recover the message.

Def: a public-key encryption system is a triple of algorithms (G, E, D):
• G(): randomized algorithm that outputs a key pair (pk, sk)
• E(pk, m): randomized algorithm that takes m in M and outputs c in C
• D(sk, c): deterministic algorithm that takes c in C and outputs m in M or ⊥
Consistency: for all (pk, sk) output by G and all m in M: D(sk, E(pk, m)) = m.
Note: without randomization in E, an attacker can tell that E(pk, m1) = E(pk, m2) exactly when m1 = m2.

Semantic Security
For b = 0, 1 define the experiments EXP(b) (i.e., EXP(0) and EXP(1)):
  Challenger: (pk, sk) <- G(), sends pk to the adversary A.
  A: chooses m0, m1 in M with |m0| = |m1| and sends them.
  Challenger: c <- E(pk, m_b), sends c.
  A: outputs b' in {0, 1}.
There are no encryption queries. Why? Because A holds pk and can encrypt any message itself.
Def: Enc = (G, E, D) is semantically secure (a.k.a. IND-CPA) if for all efficient A:
  Adv_SS[A, Enc] = | Pr[EXP(0) = 1] - Pr[EXP(1) = 1] | < negligible

Establishing a shared secret
  Alice: (pk, sk) <- G()
  Alice -> Bob: "Alice", pk
  Bob: choose random x in {0,1}^128
  Bob -> Alice: "Bob", c = E(pk, x)
  Alice: D(sk, c) = x
x is the shared key.

Security (eavesdropping)
The adversary sees pk and E(pk, x) and wants x in M. Semantic security means the adversary cannot distinguish {pk, E(pk, x), x} from {pk, E(pk, x), rand in M}.
Note: like Diffie-Hellman, this protocol is also vulnerable to a MITM attack.

Public key encryption: constructions
Constructions generally rely on hard problems from number theory and algebra.

Notation
Let N denote an n-bit positive integer. Z_N = {0, 1, ..., N-1}; we can do addition and multiplication modulo N. (In PowerPoint we will sometimes write Zn, since it does not have fancy LaTeX fonts.)

Intractable problems with composites
Suppose N = pq is a 1024-bit number with |p| = |q|. Let φ(N) = (p-1)(q-1).
Easy problems:
1. Computing x^y mod N.
2. Inverting elements: given x in Z_N with gcd(x, N) = 1, finding x^-1 mod N.
Hard problems:
1. Factoring N.
2. Given x^y mod N, computing the y'th root, i.e. x (when gcd(y, φ(N)) = 1).

The factoring problem
Gauss (1805): "The problem of distinguishing prime numbers from composite numbers and of resolving the latter into their prime factors is known to be one of the most important and useful in arithmetic."
Current world record: RSA-768 (232 digits).
• Work: two years on hundreds of machines.
• Factoring a 1024-bit integer is about 1000 times harder, so it is likely possible this decade.

RSA and Trapdoors

Trapdoor functions (TDF)
Def: a trapdoor function X -> Y is a triple of efficient algorithms (G, F, F^-1):
• G(): randomized algorithm that outputs a key pair (pk, sk)
• F(pk, ·): deterministic algorithm that defines a function X -> Y
• F^-1(sk, ·): a function Y -> X that inverts F(pk, ·): for all (pk, sk) output by G and all x in X, F^-1(sk, F(pk, x)) = x

Arithmetic Mod Composites
Let N = pq where p, q are prime. Z_N = {0, 1, 2, ..., N-1}; (Z_N)^* = {invertible elements in Z_N}.
Facts:
• x in Z_N is invertible iff gcd(x, N) = 1.
• The number of elements in (Z_N)^* is φ(N) = (p-1)(q-1) = N - p - q + 1.
• Euler's theorem: for all x in (Z_N)^*: x^φ(N) = 1.

The RSA trapdoor permutation
First published in Scientific American, Aug. 1977. Very widely used:
• SSL/TLS: certificates and key exchange
• Secure e-mail and file systems
• ... many others

G(): choose random primes p, q of about 1024 bits each and set N = pq. Choose integers e, d such that e·d = 1 mod (p-1)(q-1). Output pk = (N, e), sk = (N, d).
F(pk, x) = RSA(x) = x^e (in Z_N)
F^-1(sk, y) = y^d. This inverts F because e·d = k·φ(N) + 1 for some integer k, so
  y^d = RSA(x)^d = x^(ed) = x^(kφ(N)+1) = (x^φ(N))^k · x = x.

The RSA assumption
RSA is assumed to be a one-way permutation: for all efficient algorithms A,
  Pr[ A(N, e, y) = y^(1/e) ] < negligible,
where p, q are random n-bit primes, N <- pq and y <- Z_N^*.

Textbook RSA is insecure
Textbook RSA encryption:
• public key: (N, e); secret key: (N, d)
• Encrypt: c <- m^e (in Z_N)
• Decrypt: c^d -> m
This is an insecure cryptosystem: it is not semantically secure (encryption is deterministic) and many attacks exist. ⇒ The RSA trapdoor permutation is not an encryption scheme!

RSA encryption in practice
Never use textbook RSA. RSA in practice: the message first goes through a randomized preprocessing step, and the RSA function is applied to the result: msg -> preprocessing -> intermediate message -> RSA with the key -> ciphertext.
Main questions:
• How should the preprocessing be done?
• Can we argue about the security of the resulting system?

PKCS#1 v2.0: OAEP
Preprocessing function OAEP [BR94]: pad the message as msg || 01 || 00..0, XOR it with G(rand) where rand is a fresh random string, XOR rand with H of that result, and encrypt the concatenation (n-1 bits) with RSA. On decryption, check the pad and reject the ciphertext if it is invalid.
Thm [FOPS'01]: if RSA is a trapdoor permutation, then RSA-OAEP is secure when H, G are perfect hash functions (technically, random oracles). In practice: use SHA-256 for H and G.

Is RSA a one-way permutation?
To invert the RSA one-way function without d, the attacker must compute x from c = x^e (mod N). How hard is computing e'th roots modulo N? Best known algorithm:
• Step 1: factor N (hard).
• Step 2: compute e'th roots modulo p and modulo q (easy).

Implementation attacks
• Timing attack [Kocher et al. 1997], [BB'04]: the time it takes to compute c^d (mod N) can expose d.
• Power attack [Kocher et al. 1999]: the power consumption of a smartcard while it is computing c^d (mod N) can expose d.
• Fault attack [BDL'97]: a computer error during the computation of c^d (mod N) can expose d. (Common defense: check the output by re-encrypting it, at about a 10% slowdown.)

RSA Key Generation Trouble [Heninger et al. / Lenstra et al.]
OpenSSL RSA key generation (abstract):
  prng.seed(seed)
  p = prng.generate_random_prime()
  prng.add_randomness(bits)
  q = prng.generate_random_prime()
  N = p*q
Suppose poor entropy at startup:
• The same p will be generated by multiple devices, but a different q, because more randomness is added in between.
• For RSA keys N1, N2 from two such devices, gcd(N1, N2) = p, which factors both.
Experiment: this factored 0.4% of public HTTPS keys!
Lesson: make sure the random number generator is properly seeded when generating keys.

Questions?

Number Theory Primer

Background
We will use a bit of number theory to construct:
• Key exchange protocols
• Digital signatures
• Public-key encryption
More info: http://shoup.net/ntb/ntb-v2.pdf, http://cseweb.ucsd.edu/~mihir/cse107/ and other places across the web.

Modular Arithmetic
Def: a = b mod N iff a - b = kN for some integer k.
Addition and multiplication work as expected, e.g., x(y + z) = x*y + x*z.

Greatest Common Divisor
Def: for integers x, y, gcd(x, y) is the greatest common divisor of x and y.
Fact: for all integers x, y there exist integers a, b such that a*x + b*y = gcd(x, y), and a, b can be found efficiently with the extended Euclidean algorithm.
Example: gcd(12, 18) = 6 and 2*12 + (-1)*18 = 6.
Def: if gcd(x, y) = 1, we say x and y are relatively prime.

Modular Inversion
Over the rationals the inverse of 2 is 1/2.
What about modulo N?
Def: the inverse of an integer x mod N is an integer y such that x*y = 1 mod N; it is denoted x^-1.
Example: let N be an odd integer. Then the inverse of 2 is (N+1)/2.
Proof: 2 * (N+1)/2 = N + 1 = 1 mod N.

Which Elements Have Inverses?
Thm: an element x has an inverse mod N iff gcd(x, N) = 1.
Computing it: run the extended Euclidean algorithm on x and N to get a*x + b*N = 1. Then a*x = 1 mod N, so a is the inverse of x.
Example: for N = 12:
  gcd(0, 12) = 12   gcd(1, 12) = 1   gcd(2, 12) = 2    gcd(3, 12) = 3
  gcd(4, 12) = 4    gcd(5, 12) = 1   gcd(6, 12) = 6    gcd(7, 12) = 1
  gcd(8, 12) = 4    gcd(9, 12) = 3   gcd(10, 12) = 2   gcd(11, 12) = 1
so the invertible elements are 1, 5, 7 and 11.

Twinkle Twinkle Little Star
Def: let Z_N^* be the set of invertible elements, i.e. {x in Z_N | gcd(x, N) = 1}.
Examples: Z_p^* = {1, 2, 3, ..., p-1} for every prime p; Z_12^* = {1, 5, 7, 11}.

Fermat's Theorem (1640)
Thm: let p be a prime. For all x in (Z_p)^*: x^(p-1) = 1 mod p.
Example: p = 5. 3^4 = 81 = 1 in Z_5.
Example application: x in (Z_p)^* ⇒ x · x^(p-2) = 1 ⇒ x^-1 = x^(p-2) in Z_p. (This is less efficient than the extended Euclidean algorithm and is for demonstration purposes only.)

Application: Generating Primes*
*not used in modern crypto, but a good example
Suppose we want a large prime, e.g., 1024 bits.
Step 1: choose a random p from [2^1024, 2^1025 - 1].
Step 2: test whether 2^(p-1) = 1 in Z_p. If so, output p; else go to step 1. (Only a few hundred iterations are needed.)
Pr[p not prime] < 2^-60.
Figure: among all n-bit numbers the test accepts the primes plus a tiny set of composites (Carmichael numbers) that it fails to reject.

Structure of Z_p^*
Thm (Euler): Z_p^* (p prime) is a cyclic group, that is, there exists g in Z_p^* such that {1, g, g^2, g^3, ..., g^(p-2)} = Z_p^*.
Def: such a g is called a generator of Z_p^*.
Example: p = 7. {1, 3, 3^2, 3^3, 3^4, 3^5} = {1, 3, 2, 6, 4, 5} = Z_7^*. But not every element is a generator, e.g. 2 in Z_7: {1, 2, 2^2, 2^3, 2^4, 2^5} = {1, 2, 4}.

Order
For x in Z_p^* the set {1, x, x^2, x^3, ...} is called the group generated by x, denoted <x>.
Def: the order of x in Z_p^* is the size of <x>: ord_p(x) = |<x>| = (smallest a > 0 such that x^a = 1 in Z_p).
Examples: ord_7(3) = 6, ord_7(2) = 3, ord_7(1) = 1.
Thm (Lagrange): for all x in Z_p^*, ord_p(x) divides p - 1.

Euler's generalization of Fermat (1736)
Def (Euler's φ function): for an integer N define φ(N) = |Z_N^*|.
Examples: φ(12) = |{1, 5, 7, 11}| = 4; φ(p) = p - 1; for N = p·q, φ(N) = N - p - q + 1 = (p-1)(q-1).
Thm (Euler): for all x in Z_N^*: x^φ(N) = 1 in Z_N.
Example: 5^φ(12) = 5^4 = 625 = 1 in Z_12.
This generalizes Fermat's theorem and is the basis of the RSA cryptosystem.

Solving Linear Equations
Solve a·x + b = 0 (mod N).
Solution: x = -b · a^-1 (mod N); find a^-1 using the extended Euclidean algorithm. Run time: O(log^2 N).

Modular e'th roots
What about higher degree polynomials?
Example: let p be a prime and c in Z_p. Can we solve x^2 - c = 0, y^3 - c = 0, z^37 - c = 0 in Z_p?
Example: let N be composite. Can we solve x^2 - c = 0, y^3 - c = 0, z^37 - c = 0 in Z_N?
✓ Linear equations
✓ Quadratic equations modulo a prime p
✗ e'th roots modulo a composite N (believed to require factoring N)

Representing Big Numbers
An n-bit integer (e.g. n = 2048) on a 32-bit machine is stored as n/32 blocks of 32 bits each.
Note: some processors have 128-bit registers (or more) and support multiplication on them.

Arithmetic
Given two n-bit integers:
• Addition and subtraction: linear time, O(n).
• Multiplication: naively O(n^2). Karatsuba (1960): O(n^1.585); basic idea: compute (2^b x2 + x1) × (2^b y2 + y1) with 3 multiplications instead of 4. Best (asymptotic) algorithm: about O(n·log n).
• Division with remainder: O(n^2).

Exponentiation
Finite cyclic group G (for example G = Z_p^*). Goal: given g in G and an integer x, compute g^x.
Example: g^53. x = 53 = (110101)_2 = 32 + 16 + 4 + 1. Then g^53 = g^(32+16+4+1) = g^32 · g^16 · g^4 · g^1, and the factors come from repeated squaring: g -> g^2 -> g^4 -> g^8 -> g^16 -> g^32.

Repeated Squaring Algorithm
Input: g in G and x > 0. Output: g^x.
SquareAndMultiply(g, x):
  write x = (x_n x_{n-1} ... x_2 x_1 x_0)_2
  y <- g, z <- 1
  for i = 0 to n do:
    if x[i] == 1: z <- z · y
    y <- y^2
  output z
Example, g^53 (bits of 53 from the least significant: 1, 0, 1, 0, 1, 1):
  y: g   g^2   g^4   g^8   g^16   g^32   g^64
  z: g   g     g^5   g^5   g^21   g^53

Running times
Given an n-bit integer N:
• Addition and subtraction in Z_N: linear time, T+ = O(n).
• Modular multiplication in Z_N: naively T× = O(n^2).
• Modular exponentiation in Z_N (g^x): O((log x) · T×) ≤ O((log x) · n^2) ≤ O(n^3).

Easy and Hard Problems

DLOG: more generally
Let G be a finite cyclic group and g a generator of G: G = {1, g, g^2, g^3, ..., g^(q-1)} (q is called the order of G).
Def: we say that DLOG is hard in G if for all efficient algorithms A:
  Pr_{g <- G, x <- Z_q} [ A(G, q, g, g^x) = x ] < negligible
Example candidates:
1. Z_p^* for large p
2. Elliptic curve groups mod p

Easy problem
Given composite N = pq, where p and q are large primes, and x in Z_N, find x^-1 in Z_N.
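The number theory primer above (extended Euclid and modular inversion, Z_N^*, solving linear equations, the Fermat test, orders and generators of Z_p^*, and the repeated squaring algorithm) as one added Python example; this is not code from the original slides. Every routine is written from the slides' definitions rather than from a library so the steps are visible; in real code use math.gcd, pow(x, -1, n) and pow(g, x, n), which do the same work in C. The test values (12 and 18, N = 12, p = 7, g^53) are the slides' own.

```python
import random


def egcd(x, y):
    """Extended Euclid: return (g, a, b) with a*x + b*y = g = gcd(x, y)."""
    a0, a1, b0, b1 = 1, 0, 0, 1
    while y:
        q, r = divmod(x, y)
        x, y = y, r
        a0, a1 = a1, a0 - q * a1
        b0, b1 = b1, b0 - q * b1
    return x, a0, b0


def modinv(x, n):
    """x^-1 mod n via extended Euclid; exists iff gcd(x, n) = 1."""
    g, a, _ = egcd(x % n, n)
    if g != 1:
        raise ValueError(f"{x} is not invertible mod {n} (gcd = {g})")
    return a % n


def units(n):
    """Z_n^*: the invertible elements of Z_n."""
    return [x for x in range(1, n) if egcd(x, n)[0] == 1]


def solve_linear(a, b, n):
    """Solve a*x + b = 0 (mod n): x = -b * a^-1 mod n."""
    return (-b * modinv(a, n)) % n


def square_and_multiply(g, x, n):
    """Right-to-left binary exponentiation, as on the 'Repeated Squaring'
    slide: y runs through g, g^2, g^4, ...; z collects the factors whose
    bit is set in x."""
    y, z = g % n, 1
    while x > 0:
        if x & 1:
            z = z * y % n
        y = y * y % n
        x >>= 1
    return z


def fermat_probable_prime(p, rounds=20):
    """Fermat test with random bases: p is certainly composite if some base
    a gives a^(p-1) != 1 mod p. Passing is only probable primality; Carmichael
    numbers fool every base coprime to them, which is why modern code uses
    Miller-Rabin instead (the slide says as much: not used in modern crypto)."""
    if p < 4:
        return p in (2, 3)
    for _ in range(rounds):
        a = random.randrange(2, p - 1)
        if square_and_multiply(a, p - 1, p) != 1:
            return False
    return True


def order(x, p):
    """ord_p(x): smallest a > 0 with x^a = 1 mod p, for x in Z_p^* (x != 0)."""
    a, v = 1, x % p
    while v != 1:
        v = v * x % p
        a += 1
    return a


def is_generator(g, p):
    """g generates Z_p^* (p prime) iff its order is p - 1."""
    return order(g, p) == p - 1


if __name__ == "__main__":
    print("gcd(12, 18), a, b =", egcd(12, 18))
    print("Z_12^* =", units(12))
    print("2^-1 mod 15 =", modinv(2, 15))
    print("orders in Z_7^*: 3 ->", order(3, 7), " 2 ->", order(2, 7))
    print("3^53 mod 1009 =", square_and_multiply(3, 53, 1009))
```

Two details worth noticing: egcd returns its own Bezout coefficients (-1 and 1 for 12 and 18), which are just as valid as the 2 and -1 on the slide; and order() is only for toy p, since it walks the whole cycle, whereas with the factorization of p - 1 in hand one checks x^((p-1)/r) for each prime factor r instead.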